import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.*;

/**
 * 数美SDK完整破解器
 * 
 * 基于实验发现：
 * 1. ep 使用 RSA/ECB/NoPadding 解密成功 ✅
 * 2. data 的前16字节可能是IV
 * 3. 需要从 ep 解密结果中提取 AES 密钥
 */
public class ShumeiCracker {
    
    private static final String PRIVATE_KEY_PEM = 
        "MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCz8JyumzBRR1njdxPzCFpqWXrAUBiC4ycTbTDdWdpZkciwiXU5s/OxF5i7l+Hvwc9Ggjph/PKo7PpWhxZpzyEGpd6yVN9jAjJOt23o2TesgK8L/DAMhdJL8gNxKAQumbGF+ebMbcS8jWLxvDAqpmnEW8VdCLEjF6uqOPtcDmIkBF83W6oaeu32DzTr/NS16sUGQKxlflo9qPOl7VtcIsbR52klKK4uIyY23tWCouiyG84c/Uit+PleD5EYUGEu3p7IAAG5uJNzeUd0UjZDhy6x7ue+kGgcCmCNQ4zSS/bQHMknalwqJUvUSxtIf8dq+/D78m7d4Zt9n9ZD27t4Z2jHAgMBAAECggEAAr15RVdrpvE1NzeLADpyVghCzEbr+KJI6AzTn6tMneyQZ8/QDy7kWSAI3WJ0uFf1Nhepl/BoKZZiQYsRFk9nK1i/SWvtcu6HoZc9fzw/ksrq333ZpXcsOqfW0ZRQa/0/LNEfaKGLS2vDw/afrSaXmbvkB4SoXeZwYMk5Wq+FYxL/alrNpg/lzdvBlsCsTDA0G2RZrUVaO5yRTLRisBU+i8yORgnGkEwWvKpZYSFogCHSiYHiNXFy//C+sYWlK7DjmG8/+krKhqBRRfdeg7LFThHQpbEGTtueD57jw0PCo2yr6dqTvW9Qys+aWVNJk7RHNaI0yBFKWPadaHi3/olzkQKBgQDmz/FDpztS0fjKDIOjgDyE76Z6dRFenmKJM1eOFt+MniY6/vi4ylU51/Etm4k6dNJ1MVBoFfyT9X0U/4k7GNNUfIxMCJztUgY6EaCCt+09wk8pIvmOlRCmtxGwvmVC4nJVgUj3XJQ+wseblAkkW0+IuT3GKX0CdKFMU4q9aucLYwKBgQDHk3rQ8Ae4ci4oj+MehRI29SNpcXG6OHbrZ2EdsgqiFC1o/qv0269jtmCP7IqkGMdhTQrVetTHjZNZJH2bvUZ4o/0YT2+TTFPIkTb2/a0txUTBTKrbnAdXh/iPFZAGvBROEDN0MNKo/vGAfi0K836DeTyBIaYongm66Rn6pwnUTQKBgBveVaougfoxAhIbSrWuISCH8xjsE6nSA+G/Aj5Uwq8u1TzgVlWxkHLIgQVZt0sImfSufJ/kr7eJt42WgRJSoAmedC4mCBSbh8bxI+lEne+MC5TS9UDi/Ly0c/1cL8vQna93ScEcO4YMbJ97U1NBdyvx+eR4U/C89lDJ8YGHa9gzAoGAQ6sYsHFCXOKyDeTDoFyEUYgKqrzhT7/HaofR4Oy2OEBZKUl4anx2WnvC/+m3FG6mY7JoovuT29mABXCe+khR9aO8tBpy/WGa4t2B4nse1e8WIehp4i5kOuSKfZFVFUN+Kv3JRHMtakmO/v9JLHZlBhT8U9hh61GygOJ6gYdTiN0CgYAFz9iPy/xqLOUwiTNp3ImzhdZo9ol3Qlr9CfMWMFHqRA5AyYvly9ZzxTpUCpSA+qz6OXqAjJ0bhGQxW2KHpmcTyNGOPPca2vCaW8Mb1NTQueXpUBqX7alIkrRjUUyULteLb8FtyYl7mR3TVIu3FoO5anNwDZ+2y7R9WUEiOzY3NA==";
    
    private static final String ORGANIZATION = "qvdTr7A9k1DIU04ha4eP";
    private static final String APP_ID = "default";
    private static final long TIMESTAMP = 1761287286183L;
    
    private static final String EP_ENCRYPTED = 
        "qt0AJsNLEfayUx7S15jLfmQvMOpW6JJ+jCoxeXxn676R2OiN6xpLIQWSYe8ETFUF4+AaGrVY1wMCdyUPVaHM0J+8m+q/PUFgbiP3N8xSKQc4lIzzZuckbybYiFuLbEhcblmy162S5B70UJxzB6grhIVpsG/h0uw+JPaS2yTPpPVCiN/SImdOw2g12cun6niAwRZSQktZikzzbjwkRoiO8ehrwlAFJircnT1/1zba2oaGXLc/yU6cM2vWgJdyyoXJF4Mo/5XNBTDT+8yr1hPC5MKHWcTBB/isrRTD5CczInLgXHl48KKz18GkpPM7MML1GHb4pIjfTvu8hv/SLLW0sg==";
    
    private static final String TN_ENCRYPTED = 
        "BMWDCPVx97y8KsnGiff6u4lmEogvgO30LtR/QvfGyqQWadycCGkbGhL7jCKvJTHmlK0k+fDR0XKq8U2IINpo0+aiWg8+nwaXQofOsilfXgDzG0DK9WJuwfcOrzGUHBn4yGVXDj+SUklPWbq0fojYGLYendkSnSLYTzeYIusMyZ3HD2djXyUvekKz0cp39JgrD/Ovj2Nrwn4ffPHcIXgSjpd02QXn4LNb4/7q465mfS2oQ5fRqiRMcnxpUhSD3Ty15bXVKJpPVqlqpM+tcUcXVV4g7ggOux361BsPius8as1vd7wuK44EOJ56MJeATqROjECur2bWdftoWydjfZj5sw==";
    
    private static final String DATA_ENCRYPTED = 
        "wHBy2LDIay6WCgEybO8bw/5OxmVd4N++OJpwr/Tgjw+TA8iZ4HAy4bN8UWtwmeGz+dqU/zX6myCireq+q465rqUqpXLhma2aEPqTaNvUTv/Y71kVpkMBkgrjMnVkIi/iBV5eKsrTPfLWO8bt0mSbLM8ghswC2m2YRInkqWXHrc8Nw0JsNjwCllOUdtwe3NuIx8oQuQ2fqj1G3g3xMp6B4sWBNAo+SjTNuKnS4chvbaD3RYnGvSLyNYu+sqbKeRNofCwVn0lVrjCAGtC9d5nqhFiGw0vWksPfmCRn7vRsl7LnqcXb+Fal/hhREBsaRJdMrst3vOEeQI6pt3RGKZ3VOsliNziKbLiNnXp2zY2fin32okAFwIOczPgeQA1yAM4FCnuT9FYAMn5ecAOY7WFhJPcOqVThy0giCJrBzpIzEHXTin+BWBO1PR8wMzBqpf6us9mhBZGzu40mzVN34xXK646aMr8f2DcD9yGO20v5icEz3OUcAeayMq+YKmBoypmvQUnaGa8pjr7RfvvajY+7pu6QHqRAQ3NLY1KjIoT3PKjabb7owQ1Txw5+Ajfjen7VEeF/Dq03nPMtNOpqD3tCdWDHWir+akJcEPtPzK4Bo2K3FrLBZt2igZD6/04jtwoAojHibKqUM1Rj5h2iijH65eAU1XKTpqDPNtcP5lwa1bFNV+GvuzHM+N4gcoxiELhQeG7xiUcsZrJvadkDO2z+If9vLkXTSdMKrqozUjLRapyXpULcVL8negHnj+2vKZVdoGiDhXlm23XDFjLY91ZqX2eGfGNmpJxftl83N6q4dyXpzD2gR/chHfm0CukVlL8P8aPAfEDcAsyQETc5oVLzetGVSkGBbQl+axZu8U2Ap9CXaTi1b2VcI3he19nvgG8XEFnwP6Tbicm5PDDsiRjo2MRqfuPLWkcSHTmBlS6w8yrzAvth9x/bBLg8XLs8M/B/dKSfOa9sbptfTMmEuuhWbnqCyqnFSUt8lsFlcUbJdK02TcMbd789pANnrKTTfFeOUehu5XReHng4DfV7f6boQmJPnZfwuR8qFwp7vwme235RTloktlkQu/2QFl2LmCv+/8Za43dEdFba9Ae6I1p+50zunyIjGTE6/9RT+g/zgagzgV/qDDSM5VF6E2Ic62W/KkpfSPMHAk5Jwg0LlsSMnFXYCynZoDZ5M8s62V15VaEII3s/6wPCu4lba/BxPanRtw60EVsvrJ7B0mnG+hcW8AGVeG1ZBIhgPH887/bY+05b0MnSkhjlrys8GKSaukVbtnrLJmjePt+LdLe6tH2NTwxjbHhJR028ZWaQKvdC5BD2hRflDMBPKL68D6YJ2bitqnKKdEqYHdCMXtOXh68XUqwfkoF3phQtYHyrqF4Wsgukf3/gAlt/yF0dXFTIUzoDTc34MEAaLFENVFDt4PUnYw2SRT8i/bhi3tcavu6Hnjs=";
    
    private static String bytesToHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }
    
    private static void printSection(String title) {
        System.out.println("\n" + "=".repeat(80));
        System.out.println(title);
        System.out.println("=".repeat(80));
    }
    
    public static void main(String[] args) {
        System.out.println("=".repeat(80));
        System.out.println("数美SDK完整破解器");
        System.out.println("基于RSA无填充解密的新发现");
        System.out.println("=".repeat(80));
        
        try {
            // ========== 步骤1: 解密 ep 字段（RSA/ECB/NoPadding） ==========
            printSection("步骤1: 解密 ep 字段（RSA/ECB/NoPadding）");
            
            byte[] epBytes = Base64.getDecoder().decode(EP_ENCRYPTED);
            System.out.println("ep 密文长度: " + epBytes.length + " 字节");
            
            byte[] privateKeyBytes = Base64.getDecoder().decode(PRIVATE_KEY_PEM);
            PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(privateKeyBytes);
            KeyFactory keyFactory = KeyFactory.getInstance("RSA");
            PrivateKey privateKey = keyFactory.generatePrivate(keySpec);
            
            Cipher cipher = Cipher.getInstance("RSA/ECB/NoPadding");
            cipher.init(Cipher.DECRYPT_MODE, privateKey);
            byte[] epDecrypted = cipher.doFinal(epBytes);
            
            System.out.println("\n✅ ep 解密成功！");
            System.out.println("解密长度: " + epDecrypted.length + " 字节");
            System.out.println("\n完整十六进制数据:");
            System.out.println(bytesToHex(epDecrypted));
            
            // 分析数据结构
            printSection("步骤2: 分析 ep 解密数据结构");
            
            // ep 可能包含：填充(00) + 实际数据
            // 找到第一个非零字节
            int dataStart = 0;
            for (int i = 0; i < epDecrypted.length; i++) {
                if (epDecrypted[i] != 0) {
                    dataStart = i;
                    break;
                }
            }
            
            System.out.println("前导零字节数: " + dataStart);
            if (dataStart > 0) {
                byte[] actualData = Arrays.copyOfRange(epDecrypted, dataStart, epDecrypted.length);
                System.out.println("实际数据长度: " + actualData.length + " 字节");
                System.out.println("实际数据（十六进制）:");
                System.out.println(bytesToHex(actualData));
                
                // 尝试解析为文本
                try {
                    String text = new String(actualData, StandardCharsets.UTF_8);
                    System.out.println("\n尝试解析为UTF-8:");
                    System.out.println(text);
                } catch (Exception e) {
                    System.out.println("\n无法解析为UTF-8文本");
                }
                
                // 可能包含AES密钥（32字节）和IV（16字节）
                if (actualData.length >= 48) {
                    byte[] possibleKey = Arrays.copyOf(actualData, 32);
                    byte[] possibleIv = Arrays.copyOfRange(actualData, 32, 48);
                    
                    System.out.println("\n推测的AES密钥（前32字节）:");
                    System.out.println(bytesToHex(possibleKey));
                    System.out.println("\n推测的IV（接下来16字节）:");
                    System.out.println(bytesToHex(possibleIv));
                    
                    // 尝试用这个密钥解密 data
                    printSection("步骤3: 尝试用 ep 中的密钥解密 data");
                    tryDecryptData(possibleKey, possibleIv);
                }
            }
            
            // ========== 步骤4: 尝试 data 前16字节作为IV ==========
            printSection("步骤4: 尝试 data 前16字节作为 IV");
            
            byte[] dataBytes = Base64.getDecoder().decode(DATA_ENCRYPTED);
            byte[] dataIv = Arrays.copyOf(dataBytes, 16);
            byte[] dataCiphertext = Arrays.copyOfRange(dataBytes, 16, dataBytes.length);
            
            System.out.println("data 前16字节（可能的IV）:");
            System.out.println(bytesToHex(dataIv));
            System.out.println("\ndata 实际密文长度: " + dataCiphertext.length + " 字节");
            
            // 尝试从 ep 解密结果中提取密钥并解密
            if (dataStart > 0 && epDecrypted.length - dataStart >= 32) {
                byte[] keyFromEp = Arrays.copyOfRange(epDecrypted, dataStart, dataStart + 32);
                System.out.println("\n使用从 ep 提取的密钥:");
                System.out.println(bytesToHex(keyFromEp));
                
                tryDecryptData(keyFromEp, dataIv);
            }
            
            // ========== 步骤5: 暴力搜索密钥位置 ==========
            printSection("步骤5: 在 ep 解密数据中搜索可能的 AES 密钥");
            
            // 尝试 ep 解密数据的每个32字节窗口
            for (int offset = 0; offset <= epDecrypted.length - 32; offset++) {
                byte[] candidateKey = Arrays.copyOfRange(epDecrypted, offset, offset + 32);
                
                // 跳过全零的key
                boolean allZero = true;
                for (byte b : candidateKey) {
                    if (b != 0) {
                        allZero = false;
                        break;
                    }
                }
                if (allZero) continue;
                
                // 尝试解密
                if (tryDecryptDataSilent(candidateKey, dataIv, offset)) {
                    break; // 找到了就停止
                }
            }
            
        } catch (Exception e) {
            System.out.println("\n❌ 错误: " + e.getMessage());
            e.printStackTrace();
        }
    }
    
    private static void tryDecryptData(byte[] key, byte[] iv) {
        try {
            byte[] dataBytes = Base64.getDecoder().decode(DATA_ENCRYPTED);
            byte[] ciphertext = Arrays.copyOfRange(dataBytes, 16, dataBytes.length);
            
            SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
            IvParameterSpec ivSpec = new IvParameterSpec(iv);
            Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
            cipher.init(Cipher.DECRYPT_MODE, keySpec, ivSpec);
            byte[] decrypted = cipher.doFinal(ciphertext);
            
            // 尝试 zlib 解压
            try {
                java.util.zip.Inflater inflater = new java.util.zip.Inflater(true);
                inflater.setInput(decrypted);
                ByteArrayOutputStream baos = new ByteArrayOutputStream();
                byte[] buffer = new byte[1024];
                while (!inflater.finished()) {
                    int count = inflater.inflate(buffer);
                    baos.write(buffer, 0, count);
                }
                byte[] decompressed = baos.toByteArray();
                String result = new String(decompressed, StandardCharsets.UTF_8);
                
                if (result.length() > 10 && (result.contains("{") || result.contains("organization"))) {
                    System.out.println("\n🎉🎉🎉 成功解密 data 字段！🎉🎉🎉");
                    System.out.println("=".repeat(80));
                    System.out.println("使用的密钥: " + bytesToHex(key));
                    System.out.println("使用的IV: " + bytesToHex(iv));
                    System.out.println("\n解密内容:");
                    System.out.println(result);
                    System.out.println("=".repeat(80));
                } else {
                    System.out.println("❌ 解密失败：结果不是有效的JSON");
                }
            } catch (Exception e) {
                System.out.println("❌ 解压失败: " + e.getMessage());
            }
            
        } catch (Exception e) {
            System.out.println("❌ 解密失败: " + e.getMessage());
        }
    }
    
    private static boolean tryDecryptDataSilent(byte[] key, byte[] iv, int offset) {
        try {
            byte[] dataBytes = Base64.getDecoder().decode(DATA_ENCRYPTED);
            byte[] ciphertext = Arrays.copyOfRange(dataBytes, 16, dataBytes.length);
            
            SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
            IvParameterSpec ivSpec = new IvParameterSpec(iv);
            Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
            cipher.init(Cipher.DECRYPT_MODE, keySpec, ivSpec);
            byte[] decrypted = cipher.doFinal(ciphertext);
            
            java.util.zip.Inflater inflater = new java.util.zip.Inflater(true);
            inflater.setInput(decrypted);
            ByteArrayOutputStream baos = new ByteArrayOutputStream();
            byte[] buffer = new byte[1024];
            while (!inflater.finished()) {
                int count = inflater.inflate(buffer);
                baos.write(buffer, 0, count);
            }
            byte[] decompressed = baos.toByteArray();
            String result = new String(decompressed, StandardCharsets.UTF_8);
            
            if (result.length() > 10 && (result.contains("{") || result.contains("organization"))) {
                System.out.println("\n🎉🎉🎉 在偏移 " + offset + " 处找到正确的密钥！🎉🎉🎉");
                System.out.println("=".repeat(80));
                System.out.println("密钥位置: 字节 " + offset + " 到 " + (offset + 31));
                System.out.println("密钥: " + bytesToHex(key));
                System.out.println("IV: " + bytesToHex(iv));
                System.out.println("\n解密内容:");
                System.out.println(result);
                System.out.println("=".repeat(80));
                return true;
            }
        } catch (Exception e) {
            // 静默失败
        }
        return false;
    }
}



